Github repository: https://github.com/EsupPortail/cas-toolbox-new
Since 2003, the Esup-Portail consortium has developed and provided tools that ease CAS server deployment at French universities and institutions.
This presentation focuses on the newest Esup CAS-toolbox v4, based on the Apereo CAS 4 server distribution.
CAS-toolbox is a tool for
- Deploying a CAS server into an existing Tomcat installation,
- Simplifying and centralizing CAS configuration,
- Customizing the CAS server.
The "new Esup cas-toolbox" handles different configuration and customization levels with Maven WAR overlays:
- the 'cas-toolbox-core' folder contains the first level of Esup add-ons and preconfigurations applied to the original Apereo CAS server distribution,
- the 'cas-toolbox-custom' folder contains only the institution's specific configuration and customization files,
- the 'config.properties' file centralizes all properties in one place.
"Esup CAS Packaging" : Deploy and customize easily a CAS4 server
1. Open Apereo 2015
Higher Education ... Open Source in a New Age
"Esup CAS Packaging": Deploy
and customize easily a CAS4 server
Ludovic Auxepaules UPMC, Paris, France
https://github.com/EsupPortail/cas-toolbox-new 1
2. Few words about UPMC
Pierre et Marie Curie University
• UPMC Facts and Figures
– French excellence in Medicine and Science
– 18 sites across 4 regions in France
• 15 in Paris region
• 3 stations (Banyuls, Roscoff, Villefranche)
– 34 000 students, of whom
• 20% foreign students
• 3300 doctoral candidates
– 10,500 staff, of whom
• 8200 in research units (120 research laboratories)
• Ludovic Auxepaules
– At IT Department of UPMC since 2011
– Integration / Software Engineer
– “Portal, Authentication and Authorizations” Projects
– Github : https://github.com/auxepaul
– Member of Esup-Portail Consortium
3. The Esup-Portail Consortium
Overview
• Objectives
– Facilitate learning and campus life for students... but also the daily work of the staff members
– Pool development of digital services to divide costs between French universities
– Share technological developments and new services
– Conceive and plan for the evolution of portals, collaborative tools and mobile services
• Nine knowledge areas (with “working groups”)
– Portal solution (National “Digital Work Space” - “Espace Numérique de Travail” – ENT)
– Mobile
– Mail / Calendar solutions
– Groups
– OAE (Open Academic Environment)
– Authentication
– Document Management (DMS)
– Analytics
– Programming / Development
• Collaborations with Apereo Foundation
4. The Esup-Portail Consortium
In Practice
• 70 member institutions
• Contributions from French universities and engineering schools
• Esup-Days: 2 conferences a year in Paris
– Esup-Days 19 & Apereo Europe in February 2015
• WebSite & Wiki: https://www.esup-portail.org/
• Github: https://github.com/EsupPortail
• For more information
– ESUP-Portail & OAE: Keys to success, Tomorrow from 2:30pm to 3:15pm
• http://lanyrd.com/2015/apereo/sdmmpt/
– Apereo & ESUP-Portail: Brothers in Arms (Open Apereo 2014)
• http://lanyrd.com/2014/apereo/sdbbgk/
– Alain Mayeur / Mathilde Guerin
5. Plan of the presentation
• Some information about CAS
• Esup-Portail works and toolbox related to CAS (2003-2011)
• New Esup CAS Toolbox v3 and v4 (2011-…)
6. What is CAS?
• Central Authentication Service
• SSO: Single Sign-On / Single Sign-Off for the web
• A secure way for users to access multiple services/applications
– Passwords are encrypted in transit (HTTPS) and exchanged only between the browser and CAS; the applications never see them
– Opaque tickets that carry no personal information
• An open-source project
– Created by Yale University in 2001
– Hosted by Jasig (now Apereo Foundation) since December 2004
• Wide adoption within higher education institutions and corporations around the world
7. What is CAS?
• Public protocol specifications: CAS 1.0, 2.0 and 3.0
• One CAS server (written in Java)
– Authenticates users and grants access to applications
• N CAS clients embedded in CASified applications
– Protect the application and retrieve the identity of the authenticated user from the server
• Key concepts
– The TGT (Ticket Granting Ticket), stored in the CASTGC cookie, represents an SSO session
– The ST (Service Ticket), transmitted as a GET parameter in URLs, stands for the access granted by the CAS server to the CASified application for a specific user; it is single-use and short-lived, and the application must validate it against the server before trusting it
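The ticket exchange described above, worked through on the client side as an added example (this is not Esup or Apereo code): the login redirect, a local sanity check of the ticket shape, the server-to-server /p3/serviceValidate call that CAS 3.0 protocol clients make, and parsing of the XML answer. The server name cas.example.org, the sample responses and the attributes in them are assumptions; the service URL and ticket value are the ones that appear in the log excerpts later in this deck.

```python
"""Client side of the CAS ticket exchange: login redirect, ticket check,
/p3/serviceValidate call and response parsing.
Added example, not Esup or Apereo code; cas.example.org and the
attributes in the sample responses are assumptions."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = "{http://www.yale.edu/tp/cas}"
CAS_BASE = "https://cas.example.org/cas"          # assumed server URL
# Service URL as it appears in the serviceStats.log excerpt of this deck; the
# client must send the exact same value at login and at validation, or CAS
# rejects the ticket.
SERVICE = "http://localhost:8080/cas-management/j_spring_cas_security_check"
# Shape of a service ticket (ST-<seq>-<random>[-<node>]); anything else is
# rejected locally before a round-trip to the server.
ST_RE = re.compile(r"^ST-\d+-[A-Za-z0-9]+(-[\w.-]+)?$")


def login_url(service, cas_base=CAS_BASE):
    """Step 1: the application redirects the browser to CAS with its service URL."""
    return f"{cas_base}/login?{urlencode({'service': service})}"


def validate_url(service, ticket, cas_base=CAS_BASE):
    """Step 2: CAS redirected the browser back with ?ticket=ST-...; the
    application (server to server, over HTTPS) asks CAS whether it is valid."""
    if not ST_RE.match(ticket):
        raise ValueError(f"malformed service ticket: {ticket!r}")
    return f"{cas_base}/p3/serviceValidate?{urlencode({'service': service, 'ticket': ticket})}"


def parse_validation(xml_text):
    """Step 3: parse the CAS 2.0/3.0 XML response.
    Returns (user, attributes) on success, raises PermissionError on failure."""
    # xml.etree is fine for the constructed samples below; for XML received
    # from a network peer, parse with defusedxml.ElementTree instead.
    root = ET.fromstring(xml_text)
    failure = root.find(CAS_NS + "authenticationFailure")
    if failure is not None:
        raise PermissionError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find(CAS_NS + "authenticationSuccess")
    if success is None:
        raise PermissionError("response carries neither success nor failure")
    user = (success.findtext(CAS_NS + "user") or "").strip()
    if not user:
        raise PermissionError("authenticationSuccess without a user")
    attrs = {}
    attributes = success.find(CAS_NS + "attributes")   # CAS 3.0 protocol only
    if attributes is not None:
        for el in attributes:                          # repeated tags = multi-valued
            attrs.setdefault(el.tag.replace(CAS_NS, ""), []).append((el.text or "").strip())
    return user, attrs


# Constructed responses modelled on the CAS 3.0 protocol (not captured from a real server).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>admin</cas:user>
    <cas:attributes>
      <cas:mail>admin@example.org</cas:mail>
      <cas:memberOf>staff</cas:memberOf>
      <cas:memberOf>cas-admins</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket 'ST-1-ZW74nIKOVEECbowbB0BT-localhost' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(login_url(SERVICE))
    print(validate_url(SERVICE, "ST-1-ZW74nIKOVEECbowbB0BT-localhost"))
    print(parse_validation(SUCCESS_XML))
    try:
        parse_validation(FAILURE_XML)
    except PermissionError as err:
        print("rejected:", err)
```

Two checks a client must not skip: the service parameter sent to /p3/serviceValidate has to be identical to the one sent at /login, and the validation request goes straight from the application to CAS over HTTPS, never through the browser, so the user cannot forge the answer.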
8. A “recipe” to adopt CAS
Apereo 2014 (M. Moayyed)
• Use a latest stable version of the CAS server
• Add the “skin” of your institution
• Add the configuration of your institution
– How do users authenticate?
– Where do user attributes come from?
– Which applications are allowed to use CAS? (the service registry)
• Build, test and deploy
• Update and secure CASified applications with CAS clients
9. Requirements to deploy a server
• Java Development Kit 6 or 7 (8?)
• A Servlet container (Apache Tomcat 6 or 7)
• Apache Maven >= 3 (3.0.x)
• Apache HTTP Server 2.x with mod_proxy_ajp (optional)
• SSL certificates (CAS must use HTTPS in production)
• « Basic Knowledge » about the Spring Framework
CAS installation is a fundamentally source-oriented process
10. Jasig / Apereo CAS Server
Distributions since 2010
• CAS Server 4.0.1 (January 2015), recommended in June 2015?
• CAS Server 4.0 (May 2014), recommended in June 2014
• Security patch releases (SAML 2, e.g. Google Apps integration; HTTP attacks; …)
– CAS Server 3.5.3 (January 2015)
– cas-server-security-filter 1.0 (August 2014), 2.0.x (May 2015)
– CAS Server 3.5.2.1 (April 2014)
– CAS Server 3.4.12.1 (April 2014)
• CAS Server 3.5.2 (February 2013), recommended in June 2013
...
• CAS Server 3.5.0 (July 2012)
• CAS Server 3.4.12 (May 2012), recommended in June 2012
…
• CAS Server 3.4.7 (March 2011)
…
• CAS Server 3.4.0 (May 2010)
https://www.apereo.org/tags/cas-product-release https://github.com/Jasig/cas/releases/
11. How to install / deploy a CAS server ?
• Install a quickstart produced by Apereo/Jasig or Esup-Portail
– Discover quickly CAS functionalities, perform trainings, demos…
• Modify the sources of a stable CAS release directly?
• Deploy the WAR and make changes in the Tomcat webapps directory
– Makes the CAS server harder to update
• Maven WAR overlays
– The method recommended by Apereo to deploy a CAS server
– Beware of files and directories that move between versions when upgrading
• Esup CAS-toolbox or Esup CAS-toolbox-new
– Ease deployment by centralizing configuration items and by presetting some CAS modules
12. History of Esup works / toolbox and CAS server
2003-2007 Esup CAS Generic Handler (Yale/Jasig CAS 2.x)
2008-2011 Esup CAS-toolbox (Jasig CAS 3.x)
2011-2014 Esup CAS-toolbox-new v3 (Jasig CAS 3.4.1x)
2014-… Esup CAS-toolbox-new v4 (Apereo CAS 4.x)
13. 2003-2007: Esup cas-generic
Ant-based project and Yale/Jasig CAS v2 Server
• Esup-Portail Generic Handler
– A plugin giving CAS the ability to authenticate users with different methods
• 3 packages
– esup-casgeneric
• The CAS Generic Handler, to be deployed into the cas-server sources hierarchy
– esup-cas-server
• The CAS Generic Handler, already shipped into CAS server
– esup-cas-quick-start
• An Apache Jakarta Tomcat-based package for CAS server, shipped with the Handler
• Latest release in SourceForge
– http://sourceforge.net/projects/esup-casgeneric/files/
• Documentation
– http://www.esup-portail.org/consortium/espace/SSO_1B/tech/cas/cas_install.html
15. 2008-2011: Esup cas-toolbox
Ant-based project and Jasig CAS v3 Server
• Overview
– Deploying a CAS server into an existing Tomcat installation
– Simplifying CAS configuration
– Customizing the CAS server
– Building quickstart distributions
• Handle different configuration customization levels
– An 'update' folder: containing add-ons to the original CAS Server
– A 'custom' folder: every customized aspect (skin, Java sources, configurations)
– A 'config.properties' file: properties used by the Spring configuration files
• Latest release on SourceSup, based on CAS v3.4.7
– https://sourcesup.renater.fr/frs/?group_id=401&release_id=1461
• Documentation
– https://wiki.jasig.org/display/CAS/CAS-toolbox
– https://subversion.renater.fr/cas-toolbox/tags/3.4.7-1/README
16. 2008-2011: Esup cas-toolbox
Deployment Example
• Download cas-toolbox.X-Y.tar.gz from https://sourcesup.renater.fr/projects/cas-toolbox/ and expand it
• Rename build.sample.properties to build.properties
• Set the deploy.path property in build.properties
• Rename config.sample.properties to config.properties
• Configure config.properties (and set customizations in the custom directory)
• Initialize by running ant init
• Deploy into an existing Tomcat by running ant deploy
• Start Tomcat and browse http://localhost:8080/cas
18. New Esup CAS toolbox v3 and v4
2011-2014 Esup CAS-toolbox-new v3 (CAS server 3.4.1x)
2014-… Esup CAS-toolbox-new v4 (CAS server 4.0.x)
19. Maven WAR Overlay
General principles
• A local source repository (under Git) that contains only the institution's specific dependencies, configurations and customizations
– The pom.xml (Project Object Model) file describes the project, its dependencies and automated tasks…
– Added or modified files or directories: .java, .properties, .xml, …
• Rebuilding of the Web application ARchive (the WAR deployed within Tomcat)
– From the original release of the CAS server defined in the pom.xml file
– With all configurations and customizations layered on top
• Replacement of original files
• Documentation
– https://wiki.jasig.org/display/CASUM/Best+Practice+-+Setting+Up+CAS+Locally+using+the+Maven+WAR+Overlay+Method
– http://jasig.github.io/cas/current/installation/Maven-Overlay-Installation.html
20. Maven WAR Overlay
Examples and demos for CAS server
• CAS server 3.4.1x
– https://subversion.renater.fr/cas-toolbox/branches/cas-toolbox-new/
– https://github.com/EsupPortail/cas-toolbox-new/tree/v3.4.x
• CAS server 3.5.x
– https://github.com/UniconLabs/simple-cas-overlay-template
– https://github.com/Unicon/unicon-cas-overlay
– https://github.com/leleuj/cas-overlay-3.5.x
• CAS server 4.0.x
– https://github.com/leleuj/cas-overlay-demo
– https://github.com/UniconLabs/simple-cas4-overlay-template
– https://github.com/EsupPortail/cas-toolbox-new/tree/v4.0.x
21. Esup cas-toolbox-new v3 and v4
Maven-based project and CAS 3.4.1x / 4.0.x
• Overview of the new toolbox capabilities
– Deploying a CAS server into an existing Tomcat installation
– Simplifying and centralizing CAS configuration
• config.properties file and Authentication “HandlersDiscover” functionality
– Esup pre-settings and add-ons
• Esup Theme, LDAP, Logging, TraceMe, Stats, BlockAttack, SAML 1.1…
• Preconfigured modules the integrator can enable: Memcached, REST…
– Quickstart built with Ant
• Initial simplification work on the Esup cas-toolbox project (J. Marchal)
– https://subversion.renater.fr/cas-toolbox/branches/cas-toolbox-new/
• Migration from SVN to Git (svn2git), transfer to and update of the project on GitHub (L. Auxepaules)
– https://github.com/auxepaul/cas-toolbox-new
22. Esup cas-toolbox-new v3 & v4
Files and Directories organization
• cas-toolbox-core (Esup addons and preconfigurations)
– src/main
• java
• webapp
– pom.xml
• cas-toolbox-custom (University customizations and addons)
– src/main
• webapp
– pom.xml
• etc (HowTo and « scripts » examples)
• config.sample.properties (« localhost » configuration)
• pom.xml
• Clearer separation between the Esup and the institution's customizations and configurations
• An integrator can simply copy files from cas-toolbox-core (or from the Apereo CAS project) into cas-toolbox-custom and then modify them; the copy in cas-toolbox-custom replaces the original in the built WAR
25. Esup cas-toolbox-new v3 and v4
Statistics, Monitoring and Logs
• Esup Stats Page: /cas/stats.jsp
SERVICE_TICKET_CREATED : 1
TICKET_GRANTING_TICKET_CREATED : 1
AUTHENTICATION_SUCCESS : 1
AUTHENTICATION_FAILED : 1
SERVICE_TICKET_VALIDATED : 1
TICKET_GRANTING_TICKET_NOT_CREATED : 1
• Apereo Monitoring Page: /cas/status
Health: OK
1.MemoryMonitor: OK - 418,07MB free, 623,54MB total.
2.SessionMonitor: OK - 1 sessions. 0 service tickets.
• Esup User and Service Stats Logs: serviceStats.log
[Sun May 31 16:01:15 CEST 2015] [IP:127.0.0.1] [ID:admin] [TICKET:ST-1-ZW74nIKOVEECbowbB0BT-localhost] [SERVICE:http://localhost:8080/cas-management/j_spring_cas_security_check] [USER-AGENT:Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0]
• Apereo Performance Statistics Logs: perfStats.log
Performance Statistics 2015-05-31 16:01:00 - 2015-05-31 16:02:00
Tag Avg(ms) Min Max Std Dev Count
AUTHENTICATE 21,0 21 21 0,0 1
CREATE_TICKET_GRANTING_TICKET 25,0 25 25 0,0 1
GRANT_SERVICE_TICKET 3,0 3 3 0,0 1
VALIDATE_SERVICE_TICKET 1,0 1 1 0,0 1
26. Esup cas-toolbox-new v3 and v4
Logging configured in log4j.xml
• Tickets: tickets.log
2015-05-31 16:01:15,606 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1-ZW74nIKOVEECbowbB0BT-localhost] for service [http://localhost:8080/cas-management/j_spring_cas_security_check] for user [admin]
• Successful and failed authentications, BlockAttack: auth.log (works with CAS 3)
Thu Dec 18 15:47:00 CET 2014 - AUTHENTICATION_FAILED for '[username: admin]' from '127.0.0.1'
AccountLockingService::incrementAttempts() : [admin] - number of attempts : 3 of 3
AccountLockingService::isAccountLocked() : [admin] added to user list
AccountLockingService::isAccountLocked() : [admin] locked
Account "admin" is locked for : 3 s
AccountLockingService::run() : [admin] removed from user list
Thu Dec 18 15:48:00 CET 2014 - AUTHENTICATION_SUCCESS for '[username: admin]' from '127.0.0.1'
• Rejected Services: rejectedServices.log
2015-05-31 16:02:31,091 WARN [org.jasig.cas.web.flow.ServiceAuthorizationCheck] - ServiceManagement: Unauthorized Service Access. Service [http://loc:8080/cas-management/j_spring_cas_security_check] is not found in service registry.
• CAS management Services: cas-management.log
2015-05-31 16:01:15,606 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1-ZW74nIKOVEECbowbB0BT-localhost] for service [http://localhost:8080/cas-management/j_spring_cas_security_check] for user [admin]
• Trace (used by Esup AGIMUS-ng: Indicators and Usage): trace.log
TRACE-1-70RFFjeWwSqCfoqwHxUoimyMBELrhdlqAjhtlhoIpChkFnuG5f-localhost:admin
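The auth.log lines above are the raw material for detection. What follows is an added example, not Esup code, that parses that line format and raises alerts for a (username, IP) pair failing max_attempts times inside a time window (the same threshold the AccountLockingService log shows as "3 of 3"), for a success arriving right after such a burst, and, as a heuristic this deck does not describe, for one IP failing against many different usernames (password spraying). The log lines are constructed in the format shown above, not captured from a server; the thresholds and the 5-minute window are assumptions.

```python
"""Detection logic over auth.log lines in the format shown in this deck.
Added example, not Esup code. The per-(user, IP) threshold mirrors the
AccountLockingService "3 of 3" lockout; the password-spray rule (one IP,
many usernames) goes beyond the page and is an assumption of this example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# "Thu Dec 18 15:47:00 CET 2014 - AUTHENTICATION_FAILED for '[username: admin]' from '127.0.0.1'"
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \w+ (?P<year>\d{4}) - "
    r"(?P<event>AUTHENTICATION_(?:SUCCESS|FAILED)) for "
    r"'\[username: (?P<user>[^\]]*)\]' from '(?P<ip>[^']+)'$"
)


def parse_line(line):
    """Return (timestamp, event, user, ip) or None for lines that are not auth events.
    The zone name is dropped: strptime only understands local/UTC zone names."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    stamp = datetime.strptime(f"{m['stamp']} {m['year']}", "%a %b %d %H:%M:%S %Y")
    return stamp, m["event"], m["user"], m["ip"]


def detect(lines, max_attempts=3, window=timedelta(minutes=5), spray_users=5):
    """Return a list of (timestamp, kind, subject) alerts, in log order."""
    failures = defaultdict(deque)   # (user, ip) -> times of recent failures
    spray = defaultdict(set)        # ip -> distinct usernames that failed from it
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stamp, event, user, ip = rec
        recent = failures[(user, ip)]
        while recent and stamp - recent[0] > window:   # age out old failures
            recent.popleft()
        if event == "AUTHENTICATION_SUCCESS":
            # A success right after a burst of failures is the case worth a look:
            # either the lockout expired and a guess landed, or the user came back.
            if len(recent) >= max_attempts:
                alerts.append((stamp, "SUCCESS_AFTER_LOCKOUT", f"{user}@{ip}"))
            recent.clear()
            continue
        recent.append(stamp)
        if len(recent) == max_attempts:                 # fire once, at the threshold
            alerts.append((stamp, "BRUTE_FORCE", f"{user}@{ip}"))
        spray[ip].add(user)
        if len(spray[ip]) == spray_users:               # many users, one source
            alerts.append((stamp, "PASSWORD_SPRAY", ip))
    return alerts


# Constructed sample in the auth.log format above (not a real capture).
LOG = """\
Thu Dec 18 15:46:58 CET 2014 - AUTHENTICATION_FAILED for '[username: admin]' from '127.0.0.1'
Thu Dec 18 15:46:59 CET 2014 - AUTHENTICATION_FAILED for '[username: admin]' from '127.0.0.1'
Thu Dec 18 15:47:00 CET 2014 - AUTHENTICATION_FAILED for '[username: admin]' from '127.0.0.1'
Thu Dec 18 15:47:10 CET 2014 - AUTHENTICATION_SUCCESS for '[username: jdoe]' from '10.0.0.7'
Thu Dec 18 15:48:00 CET 2014 - AUTHENTICATION_SUCCESS for '[username: admin]' from '127.0.0.1'
Thu Dec 18 15:50:01 CET 2014 - AUTHENTICATION_FAILED for '[username: alice]' from '203.0.113.9'
Thu Dec 18 15:50:02 CET 2014 - AUTHENTICATION_FAILED for '[username: bob]' from '203.0.113.9'
Thu Dec 18 15:50:03 CET 2014 - AUTHENTICATION_FAILED for '[username: carol]' from '203.0.113.9'
Thu Dec 18 15:50:04 CET 2014 - AUTHENTICATION_FAILED for '[username: dave]' from '203.0.113.9'
Thu Dec 18 15:50:05 CET 2014 - AUTHENTICATION_FAILED for '[username: erin]' from '203.0.113.9'
garbage line that is not an auth event
"""


def run_sample():
    """Run the detector over the constructed sample."""
    return detect(LOG.splitlines())


if __name__ == "__main__":
    for stamp, kind, subject in run_sample():
        print(stamp.isoformat(), kind, subject)
```

Keying the counter on (username, IP) rather than on the username alone matters: a lockout keyed on the username only, like the 3-second lock in the log above, lets anyone lock a victim out by sending wrong passwords for that account.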
27. Esup cas-toolbox-new v3 and v4
Deployment Example
• git clone https://github.com/EsupPortail/cas-toolbox-new.git
• git checkout v4.0.x
• Rename config.sample.properties to config.properties
• Set the deploy.path property in config.properties
• Configure config.properties
• (Set customizations in the cas-toolbox-custom directory)
• Initialize and deploy in an existing Tomcat by running mvn clean package
• Start Tomcat and browse
http://localhost:8080/cas
http://localhost:8080/cas-management
28. Esup cas-toolbox-new v3 and v4
Authentication handlers « Discover »
• Set the handlers to use in config.properties (copied into the esup.properties file)
# Handler to use (cf. cas/WEB-INF/*-auth.xml to find the id)
# - ldapFastBindHandler : make a fast bind in ldap (AD or direct bind configuration)
# - ldapFullBindHandler : make a search after a bind with find dn (OpenLdap or anonymous)
# - fileEncAuthHandler : use a flat encoded file
# - filePlainAuthHandler : use a flat plaintext file
authHandlers=fileEncAuthHandler
# IF USE ldapFullBindHandler
#authHandlers=fileEncAuthHandler,ldapFullBindHandler
authResolvers=primaryPrincipalResolver
# IF USE ldapFullBindHandler
#authResolvers=primaryPrincipalResolver,ldapPrincipalResolver
defaultResolver=primaryPrincipalResolver
• HandlersDiscover Java class: org.esupportail.cas.HandlersDiscover
– Browses the list of authentication handlers and the list of principal resolvers
– Puts each <AuthHandler, AuthResolver> pair into the HandlerMap used by the Authentication Manager bean
• Handlers are discovered in src/main/webapp/WEB-INF/auth-configuration/*-auth.xml
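To see what a wrong authHandlers line does before Tomcat is started, here is an added example (not the org.esupportail.cas.HandlersDiscover class itself) that parses the config.properties excerpt above and builds the handler-to-resolver map. It assumes handlers and resolvers are paired by position, with defaultResolver filling in when authResolvers is shorter; the sets of discovered ids are assumptions standing in for what the real class reads from the *-auth.xml files.

```python
"""Reproduction of the HandlersDiscover pairing as a pre-deployment check.
Added example, not the org.esupportail.cas.HandlersDiscover class itself.
Assumptions: handlers and resolvers are paired by position, with
defaultResolver filling in when authResolvers is shorter; the sets of
discovered ids below stand in for what would be read from *-auth.xml."""
import re

# Ids assumed to be discovered in WEB-INF/auth-configuration/*-auth.xml
DISCOVERED_HANDLERS = {"ldapFastBindHandler", "ldapFullBindHandler",
                       "fileEncAuthHandler", "filePlainAuthHandler"}
DISCOVERED_RESOLVERS = {"primaryPrincipalResolver", "ldapPrincipalResolver"}

# config.properties excerpt from the slide above, as a constructed sample
PAGE_CONFIG = """\
# Handler to use
authHandlers=fileEncAuthHandler
# IF USE ldapFullBindHandler
#authHandlers=fileEncAuthHandler,ldapFullBindHandler
authResolvers=primaryPrincipalResolver
#authResolvers=primaryPrincipalResolver,ldapPrincipalResolver
defaultResolver=primaryPrincipalResolver
"""

_PROP_RE = re.compile(r"^([^=:\s]+)\s*[=:]\s*(.*)$")


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, key=value or key:value,
    last definition wins, no line continuations or escapes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _PROP_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def _split(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def build_handler_map(props, handlers_found=DISCOVERED_HANDLERS,
                      resolvers_found=DISCOVERED_RESOLVERS):
    """Return ({handler: resolver}, [warnings]) or raise ValueError on a
    configuration that would leave nobody able to log in."""
    handlers = _split(props.get("authHandlers", ""))
    resolvers = _split(props.get("authResolvers", ""))
    default = props.get("defaultResolver", "")
    if not handlers:
        raise ValueError("authHandlers is empty: no authentication handler would be active")
    unknown = [h for h in handlers if h not in handlers_found]
    if unknown:
        raise ValueError(f"unknown handler id(s) {unknown}: check WEB-INF/auth-configuration/*-auth.xml")
    unknown = [r for r in resolvers + [default] if r not in resolvers_found]
    if unknown:
        raise ValueError(f"unknown resolver id(s) {unknown}")
    if len(resolvers) > len(handlers):
        raise ValueError("more authResolvers than authHandlers: extra resolvers are never used")
    handler_map = {}                 # insertion order = order the handlers are tried
    for i, handler in enumerate(handlers):
        handler_map[handler] = resolvers[i] if i < len(resolvers) else default
    warnings = []
    if "filePlainAuthHandler" in handler_map:
        warnings.append("filePlainAuthHandler reads plaintext passwords: demo/test use only")
    if any(h.startswith("file") for h in handler_map) and len(handler_map) > 1:
        warnings.append("a file-based handler is chained with others: "
                        "every account in the flat file stays a valid login alongside LDAP")
    return handler_map, warnings


if __name__ == "__main__":
    print(build_handler_map(parse_properties(PAGE_CONFIG)))
```

The two warnings are the ones an integrator forgets most easily: the flat-file handlers exist for the localhost quickstart, and leaving one enabled next to an LDAP handler in production keeps a second set of credentials alive that nobody rotates.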
30. Apereo CAS v4.0.x
Some new features, changes, updates
• New CAS 3.0 protocol: User attributes in ticket validation response
• Greater modularity and new submodules
– Services management, SAML 1.1
• Redesign authentication API
• Updated or replaced dependencies
– Spring LDAP replaced by Ldaptive
– REST module
– CredentialsToPrincipalResolver renamed; ***Credentials*** classes and attributes renamed ***Credential***
• User Interface improvements (“Responsive”)
• Source code not backward-compatible with 3.x
– Some 3.x configurations and customizations are difficult to port to 4.x
• For more information
– The latest about the Central Authentication Service, Tomorrow from 10:15pm to 11:00pm
• http://lanyrd.com/2015/apereo/sdmmpw/
– http://jasig.github.io/cas/current/
31. Esup cas-toolbox-new v4
Things to do and Perspectives
• Fix bugs and test some functionalities and modules
– Fix SAML 1.1 (search filter bug), echoes in cas.log…
– Set and Test Memcached
– Test REST
• Add and test new maven tasks to support development activities
– mvn jetty:run or mvn jetty:run-war
– mvn tomcat7:deploy or mvn tomcat7:redeploy
• Rewrite HowTo guides, documentations and links to the Apereo CAS
documentations and guides
• Replace old Esup functionalities by “equivalent” Apereo functionalities
– BlockAttack replaced by Apereo's “Throttling Authentication Attempts”
32. Esup cas-toolbox-new v4
Things to do and Perspectives
• Set a new Esup theme (Responsive Web Design)
• Add and preset new authentication configurations
– SPNEGO (Kerberos / Windows), Trusted (REMOTE_USER)…
• Add and preset other modules and functionalities of the Apereo CAS
server
– LPPE, Clearpass
• Study (and create?) more “specific” projects based on
– RBAC (Role-Based Access Control) by service with CAS and Grouper
– MFA (Multi-Factor Authentication) with the LOA implementation
33. Demonstration
34. Demonstration
Windows demonstration environment
• Quickstart uPortal 4.1
– C:/portal
– Apache Maven 3.0.4
– Apache Tomcat 7.0.32
• Tomcat start/stop scripts in the apache-tomcat-7.0.32/bin directory
– startup.bat and shutdown.bat
• Oracle Java JDK 1.7
• Environment variables
– JAVA_HOME, JAVA_OPTS, CATALINA_OPTS
– Path: %MAVEN_HOME%\bin
• Git : Github for Windows